Protecting WordPress from Magic Include Shell

11 years ago in Articles by Brent | 14 Comments


digg-icon.jpgI have spent the majority of this week fighting off an attack on WordPress (WP). After a lot of searching and some really helpful friends, I believe we have kicked this virus to the curb. Basically this attack exploits an open vulnerability in WordPress admin. Specifically, the “options.php” file inside the admin directory. From what I have found, this has not been fixed even in the most recent versions of WP. The program left behind in the attack is called Magic Include Shell and it’s a nasty little bugger.

Magic Include Shell gives an attacker the equivalent to console access, which means that the attacker can upload and execute arbitrary code. In other words, one should be extremely careful to ensure that the problem has been fully mitigated. I will attempt to cover the basics on the symptoms, removal and prevention of this nasty little bug.

Here’s the breakdown:


  • All WP Plugins become inactive.
  • Upload dir is changed to something like: “/../../../../../../../../../../../../../../../../../tmp”.
  • A file named: “ro8kfbswmag.txt” or similar is uploaded to this dir.
  • When publishing a post you get a blank screen.

If you are suddenly not able to post to your WP blog meaning all you get is a blank screen after you post and the post doesn’t save to the DB, you could have been attacked. Look through your admin to see if any of the symptoms are there, if so, there’s a set of steps you need to follow to remove the intrusion.


  • You will need to log into your server at the root level and remove the file.
  • Deactivate all your plugins via either the admin screen or in your DB. NOTE: doing a one by one deactivation will not cut it. You have to do the “deactivate all” (newer versions of WP) or do it via a SQL call like the one mentioned in the article below.
  • Reactivate your plugins one at a time.
  • Change your upload dir back to what it was. [WP Admin > Options > Miscellaneous]
  • Change every password you can think of.
  • Look through your upload dir and see if there are any hidden files you don’t want in there. Usually these are hidden with a preceding “.” so you will need to make sure your FTP program is showing system or hidden files.


  • Set a server level password on your “wp-admin” folder (or whatever folder you have your admin stuff in).
  • Make sure all your dirs are protected according to WP documentation.

Thanks to a lot of help from the boys over at Media Temple, this little exploit has been protected (for now). Hopefully the WP crew is working on this and will fix it in the next release. Until then, we gotta protect our WP with a little extra server-side assistance.

Other Resources

Hopefully this helps wage the war from what appears to be a Russian born WP virus. We’ll see, but for now, if you are having this problem, hopefully this little article helps you out. If you know of any other exploits and how to fix them, please post links via comments below. My fingers are crossed. Let’s hope this works!

Related Posts

Hacking Twitter to get my tracking back Hacking Twitter to get my tracking back I don't know about you but I have been going through some serious withdrawl ever since Twitter killed the track feature: While I was out at NME this year, I started ...

Unwrapped a new Mac?

iBoughtAMac aims to deliver a well rounded collection of information for the Mac user. You've got questions, iBoughtAMac hopes to have the answers. If, after browsing the archives your question has not yet been answered, shoot us a friendly email at